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Abstract 

We derive the Wu list-decoding algorithm for Generalised Reed-Solomon (GRS) codes by using Grbbner bases over modules 
and the Euclidean algorithm (EA) as the initial algorithm instead of the Berlekamp-Massey algorithm (BMA). We present a novel 
method for constructing the interpolation polynomial fast. We give a new application of the Wu list decoder by decoding irreducible 
binary Goppa codes up to the binary Johnson radius. Finally, we point out a connection between the governing equations of the 
Wu algorithm and the Guruswami-Sudan algorithm (GSA), immediately leading to equality in the decoding range and a duality 
. in the choice of parameters needed for decoding, both in the case of GRS codes and in the case of Goppa codes. 
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I. Introduction 

^ | TN HI, Wu presented a decoding algorithm for Generalised Reed-Solomon (GRS) codes which decodes beyond half the 
O- J. minimum distance. Just like the Guruswami-Sudan algorithm (GSA) J2J, the decoder might return a list of candidate 
codewords, justifying the term list decoder. The two algorithms share many other properties, most notably the decoding radius: 
they can both decode an [n, k, n — k + 1] GRS code up to n — y/ n(k — 1); the so-called Johnson radius. 

>. 

^vq _ The Wu list decoder reuses the output of the Berlekamp-Massey algorithm (BMA). The BMA has long been used for solving 
C\| ■ the Key Equation of GRS codes (3) whenever the number of errors is less than half the minimum distance. Wu noted that the 
result of the BMA still reveals crucial information about solutions to the Key Equation when more errors have occurred, and 
used this for setting up a rational interpolation problem. This problem can be solved by a generalisation of the core of the 
GSA, which solves a similar problem for polynomials. 

■ The equivalence of the BMA and a special utilisation of the extended Euclidean algorithm (EA) is well-studied, e.g. iQ-GD. 
Inspired especially by Fitzpatrick (4), we recast the Key Equation and the first part of the Wu list decoder into the language 
of Grobner bases over certain modules, making it possible to use the EA; a generally more flexible and algebraic approach 
than the BMA. 
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The rational interpolation problem is attacked by first constructing an interpolation polynomial. This can be done by solving 
a large linear system of equations, but that is prohibitively slow. We give a fast method for constructing the interpolation 
polynomial which has the same asymptotic complexity as the fastest known methods for polynomial interpolation as used in 
the GSA. This also renders the Wu list decoder as fast as the fastest variants of the GSA. 

The decoding radius and the choice of auxiliary parameters in the Wu list decoder is governed by having to satisfy a certain 
inequality, just as in the GSA; we point out that in the case of decoding GRS codes, the inequality in the Wu list decoder 
becomes the governing inequality by a simple change of variables, immediately implying that they have the same decoding 
radius and always use the same list size. 

We show how the Wu list decoder can be adapted to decode binary Goppa codes. The algorithm is a continuation of the 
Patterson decoder Q, and the adaption of the Wu list decoder to this case is particularly simple due to the use of the EA 
instead of the BMA. Similarly to the case of GRS codes, we point out a connection between the governing inequality of the 
decoding parameters and the equation for the GSA with the Kotter-Vardy multiplicity assignment method (GSA+KV). This 
immediately yields that the methods have the same decoding radii, namely up to the binary Johnson radius \n — ^y/n{n — 2d), 
where n is the length and d the designed minimum distance of the Goppa code. Using our fast interpolation method, also this 
algorithm is as fast or faster than the previously known algorithms with the same decoding radius. 
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A. Related Work 

The Wu list decoder is fairly recent and not much work has been done on it yet. In both Trifonov 0, J9) and Ali and Kuijper 
ifTOl . an algorithm very closely related to the Wu list decoder for GRS codes is reached using a Grobner basis description. The 
algorithm, however, revolves around two polynomials G(x) and R{x), where G(x) is defined as the polynomial vanishing at 
the evaluation points of the code and R(x) is the Langrange polynomial through the received word coordinates at the evaluation 
points. These polynomials are of higher degree than those used by the original Wu list decoder: the syndrome polynomial and 
a "modulus" x n ~ k . More importantly, they are quite specific to the setting of decoding GRS codes. 

We take a slightly different approach, closer to the original one by Wu. We essentially show how rational interpolation can 
help in solving Key Equations; that is, equations of the form 

j(x)q(x) = 8(x) mod p{x) 

where p, q are known polynomials, and one seeks 7 and S of low degree while additionally having certain knowledge on the 
evaluations of 7 and 5. In the special case of GRS codes, this is exactly what the Wu list decoder does, but our description 
also immediately makes it clear that this can be used for binary Goppa codes. 

The construction of the interpolation polynomial in the GSA is one of the most computationally expensive parts of that 
algorithm. A fast method for this is by Beelen and Brander ifTTl which refines one by Lee and O' Sullivan Q~2|; the main gain 
comes from solving the core polynomial-matrix problem using a faster method by Alekhnovich lfl3l . There is an even faster 
method for this matrix problem by Giorgi et al. [14], and using this in [flD yields the fastest known way of constructing the 
interpolation polynomial. Bernstein uses essentially the same approach for his GSA variant and achieves the same speed ifTSl , 
both for Reed-Solomon codes and alternant codes; see also below. We show how this approach can be extended for rational 
interpolation, which ultimately leads to the Wu list decoder having the same asymptotic complexity as the GSA. 

Binary Goppa codes have long been known to have much better minimum distances than their underlying GRS codes: if 
constructed with Goppa polynomial of degree t, the minimum distance is at least 2t + 1, while it's GRS code has minimum 
distance t+1, see e.g. ITBI . Patterson's classic decoding algorithm utilises the binary property to decode t errors J7J , but recent 
advances in list decoding allows decoding up to the binary Johnson radius J2 = in — \ \Jn{n — 4t — 2) > t, where n is the 
length of the code. 

Simply list decoding the underlying GRS code only reaches n — y n(n — t — 1) < t, so this is not sufficient. However, by 
considering the Goppa code as one constructed with a degree 2t Goppa polynomial by utilising the identity of IfTTl . and then 
using the GSA+KV, one reaches J2, see e.g. Ifl8ll or |fl9l Section 9.6]. Alternatively, one can with the identity of IfTTl use 
Bernstein's decoder for alternant codes which works in a manner closely related to the GSA+KV 03). 

The Kotter-Vardy method does not directly translate to the Wu list decoder, so a different approach is required. Our algorithm 
continues the original insights by Patterson by rewriting the Key Equation of the Goppa code into a reduced one of only half 
the degrees. This combined with list decoding turns out to also reach J2- 

B. Organisation 

The remainder of this article is organised as follows: The introduction ends with some notation and notes on the modules that 
will be considered. In Section [TT] we describe how solutions to certain Key Equation-like equations can be described using 
these modules, and how the EA can find these. In Section [TjTj we introduce the problem of rational interpolation as well as a 
method to solve it for some parameters. We then show how the solution of the rational interpolation problem can be computed 
with low complexity. These two theoretical sections are then utilised in sections [TV] and [V] for decoding GRS codes and binary 
Goppa codes respectively. For each of those code families, we analyse the parameters needed for solving the associated rational 
interpolation problem, and we compare asymptotic running times with previous decoding methods. 

C. Notation 

Let F be a finite field. Define R C ¥[x,y] as all bivariate polynomials over F with y-degree at most 1. In this article, we will 
be considering ¥[x] -modules that are subsets of R. Such a module could just as well be regarded as a subset of ¥[x] x ¥[x]; 
however, using bivariate polynomials does give certain notational advantages. 

We can define term orders as well as Grobner bases over such modules. These definitions follow the general intuition from 
Grobner bases over polynomial ideals. For an extensive presentation, see e.g. l20l . 
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One thing to keep in mind is that term orders over ¥[x] sub-modules of R differs slightly from term orders over the polynomial 
ring ¥[x, y]. For instance, the weighted degree term order giving x weight 1 and y weight 0, as well as lexicographically ordering 
x before y, is a valid module term order for these modules, while it is not valid over F[a;,y]. 

For our discussions on modules and term orders, we define the following notational short-hands, where < is a module term 
order and h(x, y) € R: 

• [hi, ...,ht] — { J2l=i a i{ x )hi{x,y) | di(x) £ F[x]} is the F[x]-module generated by hi, . . . , ht € F[x, y]. 
. Af = deg f(x) for f{x) £ ¥[x}. Also define Af = -oo when f(x) = 0. 

• LT</i is the leading term of h wrt. <. 

• A* (h) = xdeg(LT < h), where xdeg(x l y 3 ) = i. 

• A<(/i) = ydeg(LT</i), where ydeg(a; l y- ? ) = j. 

Note in particular here that the A<(/i) of an h G R is not the usual y-degree of h, but instead the y-degree of its leading 
term. In a sense, it describes the position of the leading term in h. 

II. The Euclidean algorithm and Grobner bases 

Consider the following problem generalised from the Key Equation of algebraic coding theory: we are given two polynomials 
p(x),q(x), and we seek two other polynomials r y(x),5(x) of relatively low degrees which satisfy 

j(x)q(x) = S(x) mod p(x) (1) 

This equation alone might not be sufficient to uniquely determine 7(2;) and S(x), but we would still like to gather as much 
information from the above equation as possible, in a certain sense. 

Consider now the set M = [p(x),y — q(x)] € F[cc,y] as a module over ¥[x}. We easily see that the polynomial 5(x) — yj(x) 
is in M by using the above congruence: 

5{x) - yj(x) = (j(x)q(x) - w{x)p{x)) - yj(x) 
= -l{x)(y - q(x)) - w(x)p(x) 

for some polynomial w(x). We might therefore study M in order to get a good description of 7(2;) and 6(x); we could, for 
example, seek a basis for M in which S(x) — y-f(x) described in this basis has coefficients of low degree. As we will see, this 
can be given by a Grobner basis under a certain module term order. 

For a given ordering, we have the following easy condition for a generating set to be a Grobner basis for the considered type 
of modules: 

Proposition 1. Let M = [p(x),y — q(x)] be a module over ¥[x] for two polynomials p(x),q(x) and let < be a module term 
order. A set G = {h±(x, y), hi(x, y)} is a Grobner basis of M under < if and only if [G] = M and A< [hi) ^ A^- (/i2). 

Proof: Follows straight-forwardly by applying Buchberger's S-criterion. □ 

For any p > 0, define now the module term order < M as the (1,/tt) weighted-degree ordering of [x, y) with x > y. For 
example, x M_1 < AI y < M x M . We can now characterise the form of a Grobner basis for M under this module term order, as 
well as the form of 6(x) — yj(x) in this basis, given a limit on the degree of 7: 

Proposition 2. Let G = {hi(x,y),h2(x,y)} be a Grobner basis for M = [p(x),y — q(x)\ under < M with A^ (hi) = 0. 
Then A^ [hi) + A^ (h 2 ) = Ap. 

Furthermore, if S(x) — yj{x) € M, then there exist polynomials fi(x), f%{x) such that 

S(x) - yj(x) = fi(x)hi(x,y) + h{x)h 2 {x,y) 

If 5(x) < M y"/(x) then these polynomials satisfy 

A/ 1 <A 7 + / i-A^(/i 1 )-l 
A/ 2 = A 7 -A^(/i 2 ) 

If S(x) >^ yj(x) then they instead satisfy 

Af, = AS - A^(hi) 
Af 2 <AS-p-A^(h 2 ) 
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Proof: Let us first prove the degree bounds on hi and /12. Write hi(x, y) = hio(x) + yhn(x) and hi{x, y) = h2o(x) + 
yh,2i{x). Note that hn(x) and h2i(x) are coprime since some linear combination of them gives 1, as y — q(x) £ M. Then 
f{x) — h,2i(x)hx(x,y) — hii(x)li2(x,y) £ M and does not contain y, and is the lowest degree polynomial in M to do so; 
this must be cp(x) for some c £ F, given the definition of M. Therefore A/ = Ap. However, by expanding the expression 
for /, we get 

A/ = A{h 2 i{x)h w (x) - hu(x)h 2 o(x)) 
= A(h 2 i{x)h 1Q (x)) 

where we have used A< /ij = and A<^/i 2 = 1, the latter implied by Proposition Q] 

Now for the statement on S(x) — y-f(x). It is clear that f\, f2 satisfying the first of the equations exist, but we need to show 
the degree bounds. Assume first 5(x) < M yj(x). f-y, fi can be found by the division algorithm, so we consider how this would 
run. As S(x) < M yy(x), we know that h,2 will be used as a divisor first, and it will divide so as to cancel the leading term; this 
first division therefore determines the degree of / 2 to be A7 — A/121 = A7 — A< h.2- We might then perform more divisions 
by /i2 until at one point we use hi; by then the remainder will be reduced to some S(x) — yj(x) with also S(x) > M yj(x), and 
this division then determines the maximal degree of fi to AS — Ahio. The division algorithm ensures us that the iterations has 
"decreased" the remainder, i.e. 6(x) — yj(x) < M S(x) — yj(x) and therefore S(x) <^ yj(x). As < M lexicographically orders x 
before y, we therefore must have AS(x) < A7 + fj, — 1. In all, we get A/i < A7 + n — A^^hi — 1. The case 8(x) > fl yj{x) 
runs similarly. □ 

It turns out that the EA, if running on p(x) and q(x), in a certain manner produces Grobner bases of the module M of module 
term order < M . To prove this, we first need to remind of well-known results on the intermediate polynomials computed by the 
algorithm. For brevity, we don't present the EA algorithm in full, and consequently we can't prove the following lemma, but 
there are many good expositions on the algorithm which includes these results, e.g. Tilborg 12T1 Lemma 4.5.4] or Dornstetter 
0. 

Consider running the Extended Euclidean Algorithm (EA) on p{x) and q(x), and denote by Si(x) the remainder polynomial 
computed in each iteration i; that is, so(x) = p(x), si(x) = q(x) and S2(x), S3 (a;), . . . , sjv(x), sn+i(x) will be the following 
remainders computed, where we know by the EA that sn(x) = gcd(p,q) and sjv+i = 0. Then the EA in each iteration i 
also computes polynomials Ui (x) , Vi (x) such that Si(x) = Ui(x)p(x) + Vi(x)q(x). Furthermore, we have the following lemma, 
whose proof is easy by induction on the precise computations of the EA: 

Lemma 3. If the EA is run on polynomials p(x),q(x) with Ap > Aq, the intermediate polynomials satisfy for each iteration 
i = 1,...,JV+1; 

(i) As,; is a decreasing function in i. 

(ii) = Ui{x)vi-i{x) - Ui-i{x)vi{x) 

(iii) Si(x) = Ui(x)p{x) + Vi(x)q(x) 

(iv) Ap = Au t + As,_i 

We are now in a position to show how each iteration of the EA gives rise to a generating set for M: 

Proposition 4. Let the EA be run on two polynomials p{x), q(x) with Ap > Aq. In each iteration i, let G = {hi{x, y), h2{x, y)} 
with 

hx(x,y) = Si-i(x) - Vi-i(x)y 
h 2 (x,y) = Si(x) - Vi(x)y 

Then [G] = M where M = \p(x), y — q(x)]. 

Proof: Inserting the expression for Si(x) and Sj_i from Lemma [3] (iii), we get 

fhi(x,y)\ = fui-i(x) -v % -i(x)\ f p(x) \ 
\h2(x,y)J \ Ui(x) -Vi(x) J \y-q{x)J 

Now hi(x, y), h2(x, y) and p(x), y — q(x) will be bases for the same module if and only if the determinant of the 2 x 2-matrix 
is a unit. But this is stated in Lemma [3] (ii). □ 

We can now wrap up and show the main result of this section: 

Proposition 5. Let p(x), q{x) be two polynomials with Ap > Aq, and let pi > be an integer. If the EA is run on p{x), q{x) 
and it is halted on the first iteration i where As.j < Av.i + /i, then G = {hi(x,y),h2(x,y)} is a Grobner basis of M = 
\p{x),y — q{x)] with module term order < M , where hi,h2 are chosen as in Proposition^for iteration i. 
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Proof: Clearly there is a first iteration i where As; < Avi + p, for Asjv + i = — oo and Av^+i > 0. Thus, at least the 
(N + l)st iteration satisfies the requirement. Conversely, the O'th iteration does not satisfy it as Aso = Ap and Avo = — oo. 
Now to show that G is a Grobner basis. From Proposition!?] we know that [G] = AI, so by Proposition [TJ we only need to show 
that the leading terms of hi and h 2 have different y-degree under < M . But by the choice of i, we have both A< (hi) = 
and A v <ix (h 2 ) = 1. □ 

III. Rational Interpolation 

We will now describe how to solve the problem of finding rational curves that go through at least some number of prescribed 
points. The method is a generalisation of the GSA 0, and first described by Wu (T). The formulation of our main theorem, 
Theorem [6] avoids some special handling of points at infinity and is due to Trifonov |9). 

We are basically interested in a rational expression j^fy with numerator and denominator of low degrees, which goes through 
at least some r out of n points ((xo, Po), • ■ • 7 (x n -i 5 Pn-ij) where all Xj £ F while (3i £ F U {00}. To handle the points 
at infinity, we can instead consider these as partially projective points (x,,y, : Zj) with ^ = /3j whenever =^ 00 and 
(yi,Zf) = (1,0) otherwise. 

In this language, the interpolation amounts to finding low-degree polynomials fx (x) and f 2 (x) such that for at least r values 
of i, we have yifx(%i) — Zif 2 (xi) = 0. The following theorem is a paraphrasing of Lemma 3]; we omit the proof which 
is a generalisation of the proof of (2 Lemma 4]. 

First a notational short-hand: For a Q £ ¥[x,y, z], we define 

A( Wx , WytW ,)Q{x,y,z) = max{iw x + jw y + hw z 

I ax 1 y-'z h is a monomial of Q(x,y, z)} 
That is, A( Wx ,w ,w z )Q{ x > Vi z ) is the u> y , weighted degree of Q. Now the theorem: 

Theorem 6. Let £,s and r be positive integers, and let {(xo, yo, zo), . . . , (x„_x, 2/n-i, ^n-i)} ^ e 71 points in F 3 where 
for all i either j/j or Zj is non-zero. Assume that Q(x,y,z) = X)i=o Qi{ x )y l z ^~ l !S a non-zero partially homogeneous 
trivariate polynomial such that (xj,t/,,2i) are zeroes of multiplicity s for all i = 0, . . . , n — 1, ana" A( l tlJ2 , Wl )Q < ST, 
for two w\,W2 £ R+ U {0}. For any /wo coprime polynomials /i(x),/2(x) satisfying Af\ < w±, A/2 < W2. &s 
Vih{xi) + z t f 2 {xi) = 0/or af Zeasf r vaZMes o/i. Tnen (y/i(x) + zf 2 (x)) \ Q(x,y,z). 

As with the GSA, such a trivariate polynomial can be constructed by setting up and solving a system of linear equations. Each 
point to go through with multiplicity s corresponds to a similar requirement in a bivariate polynomial (see e.g. (£1 Lemma 1]), 
and therefore gives rise to ^s(s + 1) linear equations, so the total number of equations is given by |ns(s + 1). The number 
of coefficients of Q - and therefore variables of the equation system - is at least ^i=o sr ~ ~ — i) w i> it i s exactly this 
whenever all the terms in the sum are non-negative, but it can actually be more when some of them are negative. Expanding 
and collecting, we therefore have that at least any n,r,wi,W2,£,s which satisfy: 

\ns{s + 1) < st(£ + 1) - \l(l + l)(wi + w 2 ) (2) 

allow for a construction of a satisfactory Q. 

It is easy to see that Q can have at most I factors of the form given in the theorem, as its y-degree is I. For this reason, 
particularly inspired by its use for decoding and in concordance with the GSA, it is called the (designed) list size. 

We are mostly interested in knowing for which values of n, r and wi, W2 we can select s and £ such that the above is satisfied. 
For rational interpolation in general, a minimal selection of s and £ given these parameters is done in (8), so we will not repeat 
it here. When we will later use rational interpolation in the application of decoding in sections [IV] and |V] we will show a 
relation between the parameter choices of the particular instances of rational interpolation and similar instances of polynomial 
interpolation using the GSA respectively GSA+KV, and this turns out to immediately give us bounds on r as well as values 
for s and £. 

Theorem |6] parallels a result for polynomial interpolation as used in the GSA, see e.g. |2] Lemma 5]. However, for the 
application of decoding, it is not quite enough; when we later need to solve a rational interpolation problem for decoding, we 
seek fx and f 2 which interpolate the error positions, and therefore an unknown number of points, but their maximal degrees 
increase with the number of points they interpolate. This means that we can't use Theorem |6] directly: setting r low while the 
allowed degrees of fx , f 2 high would not allow us to construct Q, while setting r high would not guarantee that we found fx 
and f 2 when only few points were interpolated. Luckily, we have the following lemma which says that the Q we construct 
for high r will also find fx and f 2 that interpolate fewer points, as long as their degrees decrease appropriately: 
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Lemma 7. Let Q(x,y,z) satisfy the requirements of Theorem^for some (t,£, s, W\,W2). Then Q(x,y,z) also satisfies the 
requirements for (r, £, s, Wx,W2) as long as 

min{wi - w\ , w% — ^2} > § (r — f) 

Proof: As the interpolation points and multiplicity as well as the list size have not changed, we only need to show 

An ,w%,w\)Q < ST We have: 

— min{i(u>2 — W2) + {£ — — W\) | < i < £} 

< st — £min{u>i — t&i, W2 — 1&2} 

Therefore Q satisfies the degree constraints whenever 

st — £min{wi — Wx, W2 — W2} < sf 

min{wi - «3i, «7 2 - w 2 } > j(t — f) □ 

A. /m? interpolation 

As mentioned, the interpolation polynomial Q(x, j/, z) can be constructed by setting up and solving a linear system of equations. 
However, without more thought, this would have a cubic running time in the size of the equation system, which is prohibitively 
slow. In this section, we describe a fast way to construct the polynomial, building heavily upon ideas from the similar problem 
in the GSA, in particular Lee and O' Sullivan lfl2l and the subsequent refinement in Beelen and Brander ifTTI 

In the context of Theorem [6j consider given values of the parameters. We will assume that £ > s; in later sections where 
we apply rational interpolation, this turns out always to be the case. Consider now the set W C ¥[x, y, z] consisting of all 
polynomials homogeneous of degree £ in y and z, and which interpolate the n points {(xo, yo, zo), . . . , (x n -i, y n -i, z n -i)}, 
each with multiplicity at least s. Our goal is then to find a non-zero Q £ W of lowest possible (1, W2, wi)-weighted degree. It 
is easy to see that W is an ¥[x] -module. The approach is to give an explicit basis for W, represent this basis as a matrix over 
¥[x] and then use an off-the-shelf algorithm for finding the "shortest" vector in that matrix, "short" being defined appropriately. 
This will correspond to a satisfactory interpolation polynomial. 

Let us assume without loss of generality that each 2^ £ {0, 1}. Define the following polynomials which will turn out to play a 
crucial role: R v {x) and R z (x) will be the Lagrange polynomials interpolating (a;,;, yi) respectively (a;j, zi), i = 0, . . . , n — 1. 
Define also G(x) = Yi^o^ — x *) as we ^ as 9z( x ) = S' c d(G, i? 2 ). Now, there must exist \i(x), \2(x) £ ¥[x] such that 
g z (x) = Xi(x)G(x) + \2(x)R z (x). Define T(x) = (\2{x)R y (x) mod G(x)), considered in ¥[x]. Note that T(xi) = \2(xi)yi 
for all i = 0, ... ,n — 1. We begin with a small lemma: 

Lemma 8. Let P(x,y,z) £ W and P(x,y,z) = Pj{x)y j z e ~:> . Then g z {x) j -^- s ^ | Pj(x) for j = £ - s + 1, . . . , I 

Proof: Let L — \xi\zi = 0} so g z = YlieL( x ~ Xi )- ^ s ^ interpolates the points (xi,yi,Zi) with multiplicity s, 
P(x + Xi,y + yi, z + zi) can have no monomials of total degree (in x, y and z) less than s. For Xi £ L we have P(x + 
Xi,y + yi, z + Zi) = Ysj=o Rj( x + x i)(y + Vi) 3 z e ~i . All the terms in the sum have different z-degree, so nothing between these 
terms cancels, and so each can have no monomials of total degree less than s. In particular, since Zi = we have yi ^ 0, so 
multiplying out the power of y + yi, this implies that Pj(x + Xi)yf z e ~^ has no monomials of degree less than s. But then for 
j = £ — s + 1, . . . ,£ we get x^^^^ \ Pj(x + xt). This implies the sought. □ 

The main result is the basis for W; it looks complicated, but the important thing is that it is directly calculable given 
the rational interpolation problem. We introduce for any x £ R the function pos(x) := max(x,0). Note the easy identity 
pos(x) — pos(— x) = x. For the proof, we also use the phrase "leading monomial' of a trivariate polynomial P(x, y, z) as the 
monomial of highest y-degree when P is regarded over F[a;][y, z], and the "leading coefficient" is the F [x] -coefficient of the 
leading monomial. 

Theorem 9. Let for j = 0, . . . ,£ 

B U) = {g z y - Tz) poais - j) (yz ~ R yZ y-p°*U-V- s ))-p™U-s) 

^ z G_^pos(j-(i-s)) ypos(is-j) z pos(j-s) 

Then W = [B( ),...,BW]. 

Proof: First, it should be proved that each are of total degree £ in y and z. By summing all the terms' exponents, 
counting each yz — R y z 2 twice, and using the identity for pos(-) given above, one sees this is so. 
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To show that each the B' 1 ') are in W, note first that yz — R y z 2 interpolate all (xi, j/j, Zj). This is also true for 2— and g z y — Tz, 
since either 2^ = 0, whereby they obviously both evaluate to 0, or xi ^ L which gives ^A\ x=Xi = as well as 

g z {xi)yi - T(xi)zi = (Xi(xi)G(xi) + X 2 (x i ))y l - A 2 (a; i )2/i 
= 

For each £?w to interpolate the points with multiplicity at least s, we need only to verify that the sum of the exponents of 
the three terms g z y — Tz, yz — R y z 2 and Zj- is at least s for all generators; this is quickly seen to be true. 

We need then only to show that any P S W can be expressed as an ¥[x] -combination of the B^K There are two cases to 
consider, I — s < s and £ — s > s. We will only show the latter case, and the former follows similarly. So assume £ — s > s. 
Observe that i?w has y-degree exactly I — j. The proof now basically follows the multivariate division algorithm on P under 
lexicographical ordering y > z > x; i.e. dividing with the aim of lowering the y-degree. 

First observe that the leading coefficient of B^ is g z (x) s . By Lemma [8] we can perform polynomial division of P by B^ 
and get a remainder (x, y, z) of y-degree at most £ — 1. As B^ € W so is P^ € W. We can continue as such with B^' 
for j = 1, 2, . . . , s — 1, as each of these has leading coefficient g z (x) s ~ : ' and Lemma [8] promises that the remainders will 
keep having leading term divisible by exactly this. We thus end with a remainder P^ with y-degree at most £ — s and in W. 

As £ — s > s then for j = s, ...,£ — s we have (x, y, 2) = (yz — R y z 2 ) s y e ~ s ~ : > z J_s . They all have leading coefficient 
1, so we can reduce P^ 8 ' with B^ s \ reduce the remainder of that with _B( S+1 ) and so forth, until we arrive at a remainder 
p(e-s+i) w j tn ^.degree at most s — 1. 

Still we have p( l - s+1 ) g W so the (xi, y,i, Zj) are all zeroes with multiplicity s. Therefore P^ l ~ s+1 \x + x i7 y + y i: z + z.i) 
has no monomials of degree less than s. Let L = {xi\Zi ^ 0} and let P^~ s+1 \x, y, z) = S+1) (x)y J z l ~' . For 

Xi € L, we see by expanding the powers of both y + yi and z + Zi that P^~ s+1 ) (.t + .T,,y + yi,z + Zi) has a monomial 
P^/Si +1 \x + Xi)y s ~ 1 z':~ s which does not cancel with any other term. Therefore, x \ P s _^ s+1 ^(a; + Xi) (a; — Xi) \ 

p(t--s+X)^ Co jj ectmg f or a n x . e JJ, we g et £ j p s ( ^' 5+1) - Note that, as £ - s > s, then P^~ s+1 ) (x) has leading coefficient 
Thus, we can divide p( e ~ s+1 *> (x, y, z) by (.t) and get remainder p( £ ~ s + 2 ) f y-degree at most s — 2. 

Now, the exact same argument as above can be repeated for p( £ - s + 2 ) i but one finds that (x — Xi) 2 must divide the leading 
coefficient for each Xi € L. Therefore, we can divide by iJ<^~ s + 2 ) whose leading coefficient is {j-) 2 - We can continue this 
way with all the remaining Bti), until we find that the last remainder must be divisible by ( — ) s z i = B^\ □ 

With a concrete basis for W in hand, we wish to find an element in W with lowest possible (1, W2, u>i)-weighted degree. 
Write the B^ of Theorem |9] as B^(x,y,z) = Ya=q B< i\ x )v i ^ ■ Construct now the matrix II e F[x]^ +1 ) x ^ +1 ) where 
the (j, z)'th entry is B^\x). The B^ (x,y, z) thus constitute the rows of II. In this manner, we can represent any basis of 
W as an [l + 1) X (I + 1) matrix, and any P € W can be represented as a vector in the row span of such a basis matrix. 

Consider a vector V in the row-span of II, and denote by \V\ := maxy .^o{AVj + jw 2 + {£ — j)wi} where Vj is the 7 ' th 
component of V. A shortest vector in II under this metric will correspond to a polynomial in W which has the lowest possible 
(1 , W2 , W\ ) -degree. Any algorithm which can compute a shortest vector in the row-span of an F[x]-matrix under this metric 
will therefore be usable to solve our problem. 

The usual approach of such algorithms is to compute a so-called row reduced basis matrix, where the sum of the basis elements' 
lengths is minimal. It is well known that the shortest vector in the row space will be present in this reduced matrix, see e.g. 
0~3), ll22l . This problem is widely studied and it has several different guises and names: Grobner basis reductions over free 
¥[x] -modules IfTSl . row reduction of ¥[x] -matrices |[T4|| . and basis reduction of ¥[x] -lattices l23l . 

The fastest method in the literature for our purposes is due to Giorgi et al. in fl4l . If 6 is the highest degree of any polynomial 
in the initial basis matrix, and the basis matrix is v x v, then the algorithm has complexity Oiy^OXog ^- 1 ' (v9)), where 0(^") 
is the complexity for multiplying two v xv matrices with elements in F. Trivially cj < 3 but methods exist with u> < 2.4 1241 . 
To bound the running time of applying the algorithm on our problem, we have the following: 

Lemma 10. In the context of Theorem [9] and the discussion above, the entries of II all have degree at most sn. 

Proof: The entries of II are all of the form figl 1 T j2 i?^ 3 ( — p 4 where j3 e F and ji,j 2 , J3, J4 are non-negative integers 
summing to at most s. The lemma follows as the four base polynomials are each of degree at most n. □ 

The algorithm in lfT4l does not directly support the different "column weights" that our vector metric demands, but this can 
be amended by first multiplying the j'th column of II with x : ' W2+ ^ e ~^ Wl and then finding the usual row reduced basis. The 
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powers of x can then be divided out from the resulting reduced basis afterwards. This does not change the complexity of the 
algorithm whenever wi,w-2 G 0{n), which follows if we assume r 2 > n(w\ + W2)', an assumption which turns out to be 
true for our applications in later sections. One should also note that for finite fields F, the algorithm might need to calculate 
over an extension field, though without affecting the asymptotic running time, as pointed out by Bernstein lfT31l . This entire 
discussion can be distilled into the following: 

Lemma 11. For given values of the parameters of Theorem\6\where I > s and t 2 > n{w\ + W2), an algorithm exists to find 
a satisfactory interpolation polynomial in complexity 0{£ u snlog 01 ^ {£n)). 

Proof: As soon as one has constructed IT, the result follows from Lemma [10] and the complexity of the algorithm in 
iTPfl . so we just need to show that we can compute II in the given speed. Let M{6) be the complexity of multiplying two 
polynomials of degree 9. Computing R y ,R z and G by Lagrangian interpolation can be done in complexity 0(M(n) log n), 
see e.g. |25l p. 235]. T and g z can be computed using the Euclidean algorithm in 0(nlog 2 n). For a polynomial of degree 
n, computing all the first s different powers of it can be done iteratively in 0{sM{sn)). Each entry in IT is a multiple of 
g z ,R y , y and T to a combined power of s, so after each of their s powers have been computed, each of the 0(£ 2 ) entries in 
II can be computed in 0(M(sn)). Using Schonhage-Strassen, we can set M{9) = O{0 log 9 log log 8), see e.g. l25l Theorem 
8.23], and inserting this into the above, we see that II can be computed in 0{£ 2 M{sn)) C 0{£ 2 sn log 6 {in)). □ 

Remark: Another algorithm that can be used to handle the interpolation problem is the row-reduction method of Alekhnovich 
|fl3l , which also has been used in the interpolation method by Beelen and Brander. ffTTl . This method could also be used here 
but would yield the slightly worse running time O{£ 4 slog 2+O ^ 1 \£n)). ■ 

After having computed the interpolation polynomial Q{x,y,z), one needs to find factors of the form yf\{x) + zf 2 {x) with 
/ij/2 € F[x]. Any such factor except z will also occur as an ¥{x) factor in the dehomogenised version of Q. Thus, any fast 
algorithm for computing this will suffice. In (TJ, Wu describes an extension to the root-finding method of Roth and Ruckenstein 
(RRR) 1261 for finding ¥{x) roots of a F[x][y] polynomial: he remarks that simply applying the original RRR will find the 
truncated power series of each ¥{x) root; retrieving a long enough such series and applying a Pade approximation method like 
the BMA or the EA will retrieve the polynomial fraction. A divide-and-conquer speed-up of the RRR described by Alekhnovich 
in lfl3l Appendix] applies just as well to this extension^ We arrive at the following 

Lemma 12. In the context of Theorem® there exists an algorithm which finds all factors ofQ{x,y, z) of the form yfi{x) + 
zfi{x) in complexity 0{£ 2 sn\og{£n) 2+0 ^), where q is the cardinality of ¥ and assuming q G 0{n). 

Proof: The root-finding algorithm described in |[T) will have the complexity of running the RRR followed by at most £ 
applications of the EA, each on a truncated power series of degree 0{t) € 0{n). The EA applications will have complexity 
0{in log n) which is in the complexity of the lemma. 

For running the RRR, Alekhnovich reports a complexity of 0{£°^9 log 9), where 9 is the x-degree of Q{x,y 7 z); however, 
his analysis can be improved: in the context of his proof, choose a fast factoring method over ¥[y], e.g. from l25l Theorem 
14.14], and so set f{l,£) = 0{£M{£)\og{q£)). The non-recursive cost of f{8,£), i.e. the term £°^9, can be improved to 
£ 2 M{9), as an upper bound cost of the £ different calculations of the shifts Q{x, yi + x di y). Now the recursive bound has the 
improved solution f{6, £) G 0{£ 2 M{9) \og9 + 8£M{£) log{q£)). We have 9 G 0{sn) and assume q G 0{n) and thus arrive at 
the complexity of the lemma. □ 

An alternative factorisation method with roughly the same complexity is proposed by Bernstein in 031 by accommodating a 
more classical root finding method in Z[x] by Zassenhaus; see also l25l Chapter 15]. 

IV. WU LIST DECODING FOR REED-SOLOMON CODES 

We can now derive the Wu list decoder in a succinct manner using the Euclidean algorithm instead of the Berlekamp-Massey 
algorithm (BMA). This derivation is inspired by Trifonov's derivation |9j, though ours is slightly more general and uses shorter 
polynomials in the computations. 

A. The codes 

An [n,k,d] Generalised Reed-Solomon (GRS) code over a finite field F g is the set 

{(V0V(<X0), ■ ■ ■ ,Vn-lV(an-l)) I V S Vq [x] A A?/ < fc} 
'We are grateful to the anonymous reviewer for pointing out the extension of Alekhnovich to us as well as the improvement to its running time analysis. 
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for some n distinct non-zero ao, . . . , a n _i G F g as well as n non-zero vo, . . . , G F g . The ctj are called evaluation points 
and the u.j column multipliers. It is easy to show that e? = n — k + 1 and the code is therefore MDS. See e.g. |[T9l for a 
comprehensive introduction to GRS codes. 

Consider a sent codeword c = (co, . . . , c„_i) and a corresponding received word r = (ro, • • • , TVi— 1). Then the syndrome 
polynomial is computable by the receiver and can be defined as 

n—k—l n—1 

s(x)= J2 * i Y, r M a J~ 2 ~ i (3) 

where Wj = (vj Yih^j( a j ~ a h))^ 1 - If we denote the set of error locations by E, that is, E = {i | Cj ^ rj}, we can define 
the error-locator and error-evaluator polynomials respectively, as follow^: 

ieE 

tow = -j2( n -Ci)^ -1 ^ n ( x ~ a ^ 

i&E jeE\{i} 

Clearly, the receiver can quickly retrieve c from r if he constructs A and fi, as the error locations are the roots of A, and the error 
values are the evaluations of fi in the respective error location (up to a calculable scalar). Note that therefore gcd(A, CI) — 1 
as the elements of E are all the zeroes of A but definitely not zeroes of ft. The three defined polynomials are related by the 
famous Key Equation (see e.g. |fl9l or (27)): 

A(x)S(x) = tt(x) mod x^ 1 (4) 

Many decoding algorithms solve this equation for A and O, and construct c from r using these. That is also what our list 
decoder will do. 



B. The list-decoding algorithm 

Using the Key Equation and the results of Section [TTTJ we can construct a list decoder. By (|4]i as well as ([T|i on page [3] and 
the paragraphs following it, we know that Q(x) — yA(x) G M = [x d ~ 1 ,y — S(x)]. If we run the EA on x d ~ x and S, by 
Proposition [5] we get a Grobner basis G — {hi, /12} of M of module term order < (tl for any integer p > 0. We choose (j, = 0. 

Let e = \E\ be the number of errors, unknown to the receiver. Then Afl < AA = e. As AA > AO, then yA(x) >o f2(x). 
Assume now that A< /12 = 1 (and therefore A< hi = 0). Therefore, by Proposition [2] we know there exist polynomials 
fi,h € ^\ x \ su ch that 

n(x) -yA(x) = fi(x)hi(x,y) + f 2 (x)h 2 (x, y) 

A/i < e - d + A x <Q (h 2 ) (5) 
Af 2 = e-A* <o (h 2 ) 

We see that whenever e < L 1 ^]* either the degree bound for fi or that for f 2 will be negative, and that one will then be 
zero. Therefore Q(x) — yA(x) will be a multiple of either hi or h 2 . As A< (f2(x) — yA(x)) = 1, it must be a multiple of h 2 . 
However, as A and Ct are coprime, that multiple must be the constant that normalises h 2 to have leading coefficient 1, just as 
A(x). This corresponds to the Sugiyama decoding algorithm 1281 . 

In case neither hi nor h 2 is valid as Q(x) — yA(x), we know that fi and f 2 are non-zero, so there are more errors than half 
the minimum distance; then we proceed exactly like regular Wu list decoding using BMA. We know that for at least e values 
of xq G {ao, . • • ,a„_i}, we have A(xq) — 0, namely the error locations. Therefore, by (0, for at least those e values of Xo, 
we have fi(xo)hu(xo) + f 2 (xo)h 2 i(xo) = 0. Thus, for this to be a rational interpolation problem as in Section Hill we just 
need to ascertain two properties: 1) that hu(x) and h 2 i{x) never simultaneously evaluate to zero since they are coprime, as 
a linear combination of hi and h 2 equals y ~ S(x) G M. 2) that fi and f 2 are coprime since A and il are. 

From the results developed in Section [III] we can therefore solve this rational interpolation problem for certain values of 
I as well as the parameters n and d: we construct a partially homogeneous interpolation polynomial Q(x,y,z) which has 
zero at all the points (cti, hn(ai), h 2 \{oti)) for i = 0, . . . ,n — 1. Under certain constraints on the degrees of Q(x, y, z), then 

2 The reader familiar with the three polynomials might notice our slightly unorthodox definition of them; many sources use an error-locator which reveals 
the inverse error positions, i.e. A(a~ 1 ) = iff the i'th position is in error. This also yields a slightly simpler syndrome polynomial. However, in the case of 
Goppa codes, the above definition of the error locator is more natural, and we have opted for consistency in this article by also using that here. 
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yfi( x ) + z Jiix) will be a factor of Q(x, y, z). The following subsection looks closer at the possible choice of parameters to 
derive the upper bound on r. The complete list decoder is listed in Algorithm Q] 

Remark: There is a duality between the GSA and the Wu list decoder: in list decoding GRS codes with the GSA, one sets up 
an interpolation problem where the sought solution - the information word - will pass through those of the prescribed points 
that correspond to the error-free positions. Oppositely, here we seek fx, fi that pass through those of the prescribed points that 
correspond to the errors positions. ■ 



C. Analysis of the parameters 

It is clear that in Theorem [6] we should set wi,W2 equal to the bounds on A/i,A/2 in (0 for the case e — r; so w = 
wi +w-2 = 2r — d. Note therefore that in this instance, w is always an integer. The main question is then for which t we can 
select £ and s such that (ffj is satisfied. Inserting the value for w and rearranging, (ff]) becomes 



n (£+l)(£-s) \\ 2 J n \ 2 

Replacing s by I — s this is exactly the equation governing the choice of parameters s, £ and r in the GSA for the same values 
of n and d, see e.g. |fl9l Lemma 9.5]. This means that for all parameters of the GSA where the multiplicity is less than £, this 
substitution applies, giving valid parameters for Algorithm l|j We arrive at the following two lemmas: 



Lemma 13. Algorithm [JJ can list decode for any t < n — W 'n(n — d). 

Proof: For any given n, k,r with r less than the given bound, there exists a valid list size £ and multiplicity sq such 
that the equation of the GSA is satisfied, and furthermore sq < £, see e.g. lfT9"l Lemma 9.5]. Except in the case sq = £, the 
above duality applies and we are done, so assume sq = £■ As the governing equation of the GSA is satisfied, this means 
n < (1+1)1 i^ 1 ) n so t < f> but in this case we are within minimum-distance decoding. Thus, Algorithm 1 will succeed in 
Step 3. 

Thus we have established that for any given r less than the given bound, we can select values of s and £ such that the sought 
fx, /2 can be found using Theorem [6] whenever e — r. Now, to be guaranteed to find them also whenever e < r, we also need 
to employ Lemma [7J This can be used if it is satisfied that 

min{u;i - Afx,w 2 - A/ 2 } > f(r- e) 

Note that wi — A/i > t — e using (0. The same holds for u>2 — A/2. Therefore, the above is true at least if we satisfy 

r-e>f(r-e) s<£ 

Thus, Lemma [7] guarantees that as long as s < £, then the Q(x,y,z) we would construct satisfying the requirements of 
Theorem [6] will contain yfx(x) + 2/2(2;) as a factor whenever e < r. But s < £ is satisfied as sq < £ in all considered cases 
of the GSA and s = £ - s G by the duality. □ 

Remark: This decoding radius - the so-called Johnson bound - is not the best one can achieve for a given G RS code: using 
the GSA+KV one can decode slightly further, namely up to the g-ary Johnson bound (n — ^Jn(n — -^jd)), see e.g. lfl"8l 
or EU Section 9.6]. ■ 

Lemma 14. For given n, k and t with t > then £ and s are valid choices for the parameters for Algorithm [JJ and 

only if £ and Sq = £ — s are valid choices for the GSA. Furthermore, for any given £, let s be the lowest possible choice of 
multiplicity for Algorithm\l\and sq the lowest possible choice of multiplicity for the GSA; if t < n/2 then s < sq, otherwise, 
s > s G . 

Proof: Only the last claim does not directly follow from the duality in parameter choice. Consider (0 governing the 
possible choice of s for Algorithm!]] rearranging to a second-degree equation in s and solving, we get that s/£ must be chosen 
from the interval [T — \/15] T + \fD\, where T = — + ^—jr^ and D a discriminant whose precise expression is not important 
for us. Due to the duality between Algorithm [JJ and the GSA, the corresponding interval for valid sq/£ for the GSA will be 
[1 — T — \/~D: 1 — T + \/~D]. In addition to residing in these respective intervals, we only require of s/£ and sg/£ that s and 
sg are positive integers less than £. Therefore, whenever r < n/2 we have T > i, so the lowest possible choice of s in the 
former interval must be at most the lowest possible in the latter interval; oppositely for the case r > n/2. □ 

To concretely choose £ and s given n, k and r, we can — due to the above lemma — use closed expressions designed for the 
GSA; e.g. l29l Eqs. (43-45)]. Alternatively, Trifonov and Lee give a simple analysis and expressions directly for the Wu list 
decoder in 0. 



3 We are grateful to the anonymous reviewer for pointing out this relation to us. 
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Algorithm 1 Wu list decoding GRS codes 

Input: A GRS code C over ¥ q with parameters n,k,d = n — k + 1 and evaluation points ao, ■ ■ • , cxn-i> decoding radius 

t < n — y/n(n — d), and received word r G F^ 1 . 
Output: A list of all codewords in C within radius r of r or Fail if there are no such words. 

1: Calculate the syndrome S(x) from r according to yj. 

2: Run the EA on x d ~ 1 ,S(x) and halt when Asi < Av.i, reusing the notation of Section HI1 Define hi(x) = —Vi-i(x) and 
h 2 (x) = —Vi(x). 

3: If ti2 is a valid error-locator of degree at most d — r, use it to correct r, and if this yields a word in C, return this one 
word. 

4: Otherwise, we seek /i,/2 according to (01. Set wi,W2 to the degree bounds of /i and /2 for the case e = r, and 
calculate £ and ,s to satisfy ©. Construct a Q(x, y, z) satisfying the requirements of Theorem [6] using the points 

{(cti, /ii(a i ),/i2(a t ))}" = : 1 . 

5: Find all factors of Q(x, y, z) of the form yf*(x) + zf£(x) where /* and /| have degree less than wi and W2 respectively. 

Return Fail if no such factors exist. 
6: For each such factor, construct A*(x) = f^(x)h\(x) + f£(x)fi2(x). If it is a valid error-locator, use it for correcting r. 

Return Fail if none of the factors yield error-locators 
7: Return those of the corrected words that are in C. Return Fail if there are no such words. 



D. Complexity analysis 

The complexity of the totality of Algorithm Q] is easily found using the results of Section IIII-At note that r 2 > nw whenever 
t < n — \Jn — d so we can use LemmaQT] For simplicity, we will assume that q € 0(n) where q is the cardinality of F. In that 
case, as I > s, steps 4 and 5 can be computed in 0(£ u+1 n log ' 1 -* (in)). The remaining steps are of lower order: calculating 
S(x) in step 1 can be done in 0(n log n) using fast Fourier methods, and the EA in step 2 has complexity 0(nlog 2 n). 
Checking whether a polynomial is a valid error-locator takes at most 0(q), and in step 3 we check 2 such, while in step 6 we 
check at most i such. Thus we have the following 

Lemma 15. If q € 0(n) then Algorithm\J\has complexity 0(£ u sn log°^ (in)). 

Using Lemma [14] we can compare running times with those for variants of the GS A. In this light, the above estimate is fast 
as the fastest GRS list-decoders based on the GSA. The bottle-neck is - as it is here - the construction of an interpolation 
polynomial. Beelen and Brander gave in ifTTI an algorithm for computing the interpolation polynomial in the GSA with 
complexity 0(i 5 n log 2 n log log n), using an approach very close to the one here, and using a row reduction algorithm on 
an appropriate polynomial matrix. However, had they used the one by Giorgi et al. lfT4l instead of the slightly slower by 
Alekhnovich ff3l . they would have reached the same complexity as in Lemma Q3J but using the value of s needed for the 
GSA. 

It would therefore seem that, when the multiplicity for Algorithm Q] is smaller than the multiplicity for the GSA, Algorithm 
Q] would be faster than the GSA, though as we have only presented asymptotic analysis, one would need implementations 
to properly verify this. From Lemma [14] and its proof, we know that the multiplicity for Algorithm Q] is smallest whenever 
r < n/2 and that the difference to the multiplicity of the GSA increases with £ 

Bernstein also gives a decoding algorithm in lfl5ll with the same complexity, but his is a varia nt of the GSA+KV, and it can 
thus decode a GRS code to the slightly higher q-ary Johnson radius: ^— -(n — , /n(n ~r^)); see a l so Section IV-DI 



V. WU LIST DECODING BINARY GOPPA CODES 



A. The codes 



Consider an irreducible polynomial g(x) € F2"»[a;] as well as n distinct elements of F2™, L = (cto, . . . , a n -\). Then the 
irreducible binary Goppa code T(g, L) with Goppa polynomial g over L is the set 



(ci,... )Cn )eFS 



E: 



i=0 



x — a; 



mod g(x) 



This code has parameters [n, > n — mAg, > 2Ag + 1}. A binary Goppa code T(g,L) is a subfield subcode of an [n, n 
Ag, Ag + 1] GRS code over ¥2™. It is also an alternant code. See e.g. Ifl6l for a more complete description. 
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Consider a sent codeword c = (cq, . . . , c n -i) and a corresponding received word r = (ro, . . . , r n _i). For these codes, a natural 
definition of a syndrome polynomial is then 

Like in the preceding section, we also define E, the error-locator and error-evaluator, the last being slightly simpler due to the 
binary field: 

E = {i | Q ^ r t } 

^)=e n 

ieEjeE\{i} 

Introduce also e = \E\ as the number of errors. We have again that gcd(A, f2) = 1. It also turns out that the introduced 
polynomials satisfy a Key Equation Q: 

A(x)S(x) = fi(x) mod g(x) (8) 

Note that for a binary code, the receiver can decode immediately upon having calculated the error locator, even without the 
error evaluator; the error value is always 1 . 



B. The list-decoding algorithm 

Now we could proceed exactly as in Section [TV-BI and we would arrive at a list decoder correcting up to n— v/n(n — Ag — 1) 
errors. This is the same decoding radius reached by simply decoding the enveloping GRS code with the GSA or the Wu decoder. 
However, this radius is much less than Ag which is promised by the minimum distance of the binary Goppa code, and which 
can be corrected by Patterson's decoder Q. 

Therefore, we proceed to rewrite the Key Equation in the same way as Patterson. In the following, it will be useful to assume 
e < 2Ag as an initial and reasonable bound on our list decoder. Then, collecting even and odd terms, we can introduce 
polynomials a(x),b(x) such that A(x) = a 2 (x) + xb 2 {x) and satisfying Aa < |_§J and Ab < L^ir"J- Now, note from 
the definition of the polynomials that Q,(x) equals the formal derivative of A(x), so we get Q,(x) = b 2 (x) in this field of 
characteristic 2. The Key Equation thus becomes 

(a 2 (x) + xb 2 (x))S{x) = b 2 {x) mod g{x) 

b 2 {x){x + S-\x)) = a 2 {x) mod g{x) (9) 

Note here that calculating the inverse of S(x) modulo g(x) is possible since AS < Ag and g(x) is irreducible. 

It might now be that S^ 1 (x) = x mod g(x) in which case a 2 {x) = mod g(x). As g(x) is irreducible, a(x) must be a 
multiple of g(x), which means that a(x) = as e < 2Ag. This implies A(x) = xb 2 (x), which is only a legal error locator if 
e L and b(x) = 1. So in that case, A(x) — x is the only valid solution to the Key Equation, resulting in one error to be 
corrected. 

Having taken care of the case S^ 1 (x) = x mod g(x), let us now assume that this is not the case and continue. As g{x) is 
irreducible, V2^\x\/ (g(x)) is a finite field of characteristic 2, so we can compute a square-root; in particular, we can find an 
S(x) such that S 2 (x) = x + S^ 1 (x) mod g(x) and AS < Ag. This value is directly computable by the receiver after having 
computed S(x). Inserting S(x) in (O, we get 

b 2 (x)S 2 (x) ee a 2 (x) mod g{x) <S=^> 
b{x)S{x) = a(x) mod g(x) (10) 

Now we are in the case of a new Key Equation, where the degrees of the unknown polynomials are halved! We proceed in a 
manner resembling that of the GRS codes from the preceding section. The above equation tells us that a(x) — yb(x) 6 M = 
[g(x), y — S(x)]. If we run the EA on g(x) and S(x), by Proposition [5] we get a Grobner basis G = {hi, /12} of M of module 
term order < M for any integer fi > 0; for reasons becoming apparent momentarily, we choose \i = 1. 

By Proposition |2] we know there exist polynomials /1, /2 € ¥[x] such that 



a(x) - yb(x) = f 1 (x)h 1 (x,y) + f 2 (x)h 2 {x,y) 



(ID 
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Remembering Proposition Q] assume that A v < h 2 = 1 and therefore that A y <i hi = 0. Now, the case here is slightly more 
complicated than that of the GRS codes, as we do not know a priori which of a(x) and b(x) has the largest degree. If e is 
even then Act = | and Ab < § — 1 whereby a(a;) >x yb(x). From Proposition [2] we then get 

A/^Aa-A^^x) = §-A 5 + A* 1 (ft 3 ) 

A/ 2 < Aa - 1 - A< 2 (/i a ) = § — 1 - A<, (/i 2 ) (12) 
In a similar manner, when e is odd we get a(x) <i yb(x) and 

A/i < A6 + 1 - A^^/u) - 1 = ^ - Ag + A x Kl (h 2 ) 

Af 2 = Ab-A x <l (h 2 ) =^-A x <l (h 2 ) (13) 

In either of the above cases, we see that if e < Ag, one of the bounds for A/i and A/2 will be negative, in which case either 
fi or f-2 will be zero. This in turn means that a(x) — yb(x) will be a multiple of either h^ or h 2 , namely the one which has 
the same y-degree as a(x) — yb(x) under <x. As A(x) is square-free, a(x) and b(x) must be relatively prime, so this multiple 
must be a constant. This corresponds to Patterson's decoder Q, except that there the BMA is used instead of the EA to solve 
([Tol l. This requires an initial transformation of (110t . and an "inverse" transformation on the output of the BMA. 

In case fx and f 2 are both non-zero, spurred on by the success of the last section, we would like to be able to find them using 
rational interpolation. However, in the last section, we knew that the evaluation of the target polynomial A(x) would be in 
at least e positions; for neither a{x) nor b(x) do we have such information. We therefore first need to re-enter (fTTT i into their 
defining expression: A(.t) = a 2 (x) +xb 2 (x). Let first h\(x,y) = hio(x) + yhn(x) and h 2 (x,y) = h 2 o(x) +yh 2 i(x). Then 
using ( fTTT i, we get 

A(x) = (h(x)h w (x) + f 2 (x)h 20 (x)) 2 
+x(f 1 (x)h 11 (x) + f 2 (x)h 21 (x)f 
= f!(x)(h 2 w (x) + xh 2 n (x)) + fl(x)(hj (x) + xhUx)) 

Similarly to the preceding section, for at least e values of xq € L, we now know that A (.To) = 0. For these e values of .To, by 
the above, we therefore have 

fi(xo)\/h 1 (xo) + h{xo)\J h 2 {x a ) = 

where /ii(t) = h\ n (x) + xhl 1 (x) and h 2 (x) = h 20 (^x) + xh 21 (x). For us to be able to use Theorem|6] we have then only to 
certify that /1 and f 2 are coprime, and that hi and h 2 will never simultaneously evaluate to zero. But the former is true since 
a and b are coprime which is due to A being square-free, and the latter is true since hi(x,y) and h 2 (x,y) are coprime. We 
have therefore finally arrived at a rational interpolation problem. 

We will again use the results of Section [III] to solve this problem for some values of e, n, Ag. The next section is concerned 
with that analysis. The complete list decoder is shown in Algorithm [2] 

Remark: As mentioned, Patterson's original algorithm Q solves ( TTOb using the BMA. One could possibly also extend this 
for list decoding using rational interpolation. However, a transformation is needed for letting the BMA solve ilOi , and this 
makes the details for rational interpolation less straight-forward. One should also note that the BMA and the EA in their 
straightforward implementations have the same asymptotic running time O(0 2 ) (see e.g. Q), and that both admit a recursive 
version with asymptotic running time 0(9 log 2 6), where 9 is the degree of the ingoing polynomials (see e.g. l30l Chapter 
11.7] respectively EH Chapter 8.9]). ■ 



C. Analysis of the parameters 

For a given decoding radius t, we want to know whether we can construct a Q(x,y,z) such that whenever e < t, we can 
find fi and f 2 in the manner specified in Theorem [6] and we want values for the parameters of £ and s. 

We should set w\, w 2 inspired by ( fT2l and ( TT3b . but we need just one set of values which will cover both the even and odd 
cases. Therefore, we use for both /1 and f 2 the larger of the degree bounds: 



w 1 = i-Ag + A x <1 {h 2 ) 
W2 = ^-^ x <1 (h 2 ) 



(14) 
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Now define w = w\ + w 2 = t — Ag — \. Note that w and either W\ or w 2 will not be integer. Inserting the value for w and 
rearranging, (O becomes 



1 ( (£ + 1\ Ag + \ Js + \ 



n < (l + l)(l-2s) {{ 2 )-^-\ 2 )) (15) 

if we assume that £ > 2s. Just as we before found that the governing equation for Algorithm Q] is parallel to that of the GSA, 
the above equation is parallel to the governing equation of the GSA+KV: using e.g. |fl9l Lemma 9.7] and setting the two 
multiplicities as r = I — s and f = swe achieve the same equation. This means that Algorithm [2] has the same decoding radius 
as the GSA+KV when the choice of the two multiplicities are restricted thusly. From 1 19, Problem 9.9], the choice r = I — r 
exactly maximises the decoding radius which is then given in JT9, Problem 9.10]. We also get f < r so r < £/2 and hence 
in our case I > 2s; this is also what we assumed at (fT~5T > which means we can indeed reuse the analysis from the GSA+KV. 

Lemma 16. Algorithm\2\can list decode for any r < — ^ yj n(n — 4Ag — 2). 

Proof: With the above duality, we have already established that for any given r less than the given decoding radius we 
can select values of s and I such that the sought /1 and f 2 can be found whenever e = r. We again have to employ Lemma 
[7] in order to guarantee that /1 and f 2 will be found when e < r. The lemma promises this if we can satisfy 

min{wi - A/i,w 2 - A/ 2 } > f (r- e) 

Using ( fT2b . ( fT3l ) and ( TBi i. we see that wi — A/i > § — |_f J — h.( T ~ e )' both when e is even and when it's odd. Similarly 
for W2 — A/2. The condition of Lemma [7j is then always satisfied as long as I > 2s. This we already assumed at ( TT3T >. □ 

Remark: It is the necessity of having to use Lemma [7j that adds the peculiar complication on the setting of w\ and w 2 . If we 
choose a r, we will know its parity, so we could choose w 2 and w 2 from (TTZt or ([Ok according to that parity. This would 
allow us to decode exactly r errors; analysis shows that in that case one could choose any r < |n — \\J n(n — 4Ag — 4), 
i.e. slightly greater than the binary Johnson radius. However, the condition of Lemma [7] would then not always be true so we 
would not always be able to correct fewer errors. This is the reason of having to set Wi and w 2 as in ( fT4l . 

Interestingly, if we allow two runs of the rational interpolation procedure instead of just one, we can achieve the decoding 
radius r < \n — ^y/n(n — 4Ag — 4) and still also decode fewer than r errors: let the first run be responsible for finding 
those error locators corresponding to even number of errors, and the second run for the odd number of errors. For each run 
we then only need a looser version of Lemma |7j where only a number of points with the right parity need to be interpolated 
as well. Then we can set wi,w 2 according to dTZb in the even-parity run, and similarly wi,w 2 from (fT3l ) in the odd-parity 
run. This yields the mentioned decoding radius. ■ 

Lemma 17. For given n, Ag and r, then I and s are valid choices for the parameters for Algorithm [2] ;/ and only if £, 
r = £ — s and f = s are valid parameters for the GSA+KV as described in M9\ §9.67- 

For closed expressions for valid values of the parameters I and s, one can use the analysis of Trifonov and Lee [8| which 
works for any application of the rational interpolation method. 

Algorithm 2 Wu list decoding binary Goppa codes 

Input: A binary Goppa code C with Goppa polynomial g(x) € F 2 ™ [x] and evaluation points a 0j ctn-i. a decoding radius 

t < |n — hs/n — 4Ag — 2, and a received word r € ¥ 2 . 
Output: A list of all codewords in C within radius r of r or Fail if there are no such words. 

1: Calculate the syndrome S(x) from r according to (Jvj. If S^ 1 (x) = x and £ L, then flip the corresponding bit of 

r and return that word. If 5 ,_1 (a;) = x and ^ L, return Fail. Otherwise, calculate S(x) satisfying AS < Ag and 

S 2 (x) = x + S^ 1 (x) mod g(x). 
2: Run the EA on g(x),S(x) and halt when As; < Aw ; + 1, reusing the notation of Section HT1 Define hi(x) = s|_ 1 (x) + 

xvf_ 1 (x) and h 2 (x) = sf(x) +xvf(x). 
3: If either h\{x) or h 2 (x) are valid error-locators of degree at most 2Ag — r, use that to decode, and if this yields a word 

in C, return this one word. 

4: Otherwise, we seek fi,f 2 according to (fTTT l. Set wi,w 2 as in ( fT4] >. and calculate £ and s to satisfy ( fT5] l. Construct a 

Q(x, y, z) satisfying the requirements of Theorem [6] using the points { (04, \J hi(<Xi), \J h 2 (cei)) 
5: Find all factors of Q(x, y, z) of the form yf*{x) + zf 2 (x) where /* and f 2 have degree less than Wi and w 2 respectively. 

Return Fail if no such factors exist. 
6: For each such factor, construct A*(x) = f* 2 (x)hi(x) + f 2 2 (x)h 2 (x). If it is a valid error-locator, use it for decoding r. 

Return Fail if none of the factors yield error-locators 
7: Return those of the decoded words that are in C. Return Fail if there are no such words. 
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D. Complexity Analysis 

Again, the complexity of Algorithm [2] is easily found using the results of Section UlI-AI For simplicity, we will assume that 
2™ e Oln). In that case, as £ > s, steps 4 and 5 can be computed in 0(1^ sn\og°^ (£n)). The remaining steps are of lower 
order, seen using arguments similar to those in Section IIV-DI 

Lemma 18. If2 m e 0(n) then Algorithm\2\has complexity 0(£ u sn\og° {1) (In)). 

The GSA+KV can decode binary Goppa codes - in fact any alternant code - up to the small-field Johnson bound. Also here, 
the bottle-neck of the complexity is the construction of the interpolation polynomial. Bernstein in |fl5l gives an algorithm for 
constructing this fast, and in terms of I and n and relaxing s, r and f to t, it has the same complexity as the above. 

However, similarly to Section HV-DI one should note that s = f < t/2 and r = £ — f > £/2, and the difference between s and 
r increases with the rate of the code. From this view, one would therefore expect that Algorithm [2] outperforms the GSA+KV, 
though the asymptotic analysis we have performed here is too crude to say for certain. 

VI. Conclusion 

In this article, we have reinvestigated the Wu list decoder of jT|. Originally formulated in tight integration with the Berlekamp- 
Massey algorithm, we have shown how the extended Euclidean algorithm can be used instead, enabling one to solve more 
general equations than the original Key Equation for Generalised Reed-Solomon codes. 

At its core, the Wu list decoder solves a rational interpolation problem in a manner mirroring the polynomial interpolation of 
the Guruswami-Sudan algorithm (GSA). We have pointed out how this equation becomes the one of the GSA by a change of 
variables, implying that their decoding radii and list sizes are the same, as well as connecting the multiplicities. 

The most expensive part of solving the rational interpolation problem is the construction of an interpolation polynomial. We 
have shown how to extend methods used in the GSA for constructing this polynomial fast. The result is that the Wu list 
decoder can be made to run in the same complexity as the fastest variants of the GSA. 

The decoupling of the Key Equation-solving and rational interpolation from the actual decoding results in a short derivation of 
the list decoder for GRS codes. Moreover, it makes it clear that the approach also can be used to extend the Patterson decoder 
for binary Goppa codes, list decoding up to the binary Johnson radius. Also here, a connection to the governing equation of 
the GSA with the Kotter-Vardy multiplicity assignment method is pointed out. 
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